I've recently set up HTTPS on the servers at work, running in parallel
with HTTP. For reasons which were good at the time and are still not
entirely wrong, we're using lighttpd as a front-end, and the process
was less trivial than I'd have preferred.

Because of the system architecture, I wanted DNS validation,
which in practice meant certbot in manual mode. OK, we can do that.
But what to do with the various files it produces? It turns out that
the answer is, and I put this here for anyone else who has to fight
the documentation:

concatenate cert.pem and privkey.pem to server.pem on the server

copy chain.pem to the server under that name

put both those files in the right place, owned and readable only by root

then include them in the server configuration, as well as a modern
cipher set (note different syntax from Apache, replacing + with -
and space with colon; note also cargo-culted list with obvious
inconsistency)
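
The file-handling steps above as a shell function. This is an added example, not part of the original post: the function name and both directory arguments are assumptions, and it stops before the server configuration step.

```shell
#!/bin/sh
# Added example: build server.pem and chain.pem for lighttpd from certbot output.
# Usage: install_lighttpd_certs LIVE_DIR DEST_DIR
#   LIVE_DIR  directory holding cert.pem, privkey.pem and chain.pem (assumed path)
#   DEST_DIR  existing directory the web server reads its PEM files from (assumed path)
install_lighttpd_certs() {
    live=$1
    dest=$2

    # Refuse to install anything if an input is missing or empty.
    for f in cert.pem privkey.pem chain.pem; do
        [ -s "$live/$f" ] || { echo "missing or empty: $live/$f" >&2; return 1; }
    done
    # Cheap sanity check that the files are what their names claim.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$live/cert.pem" ||
        { echo "cert.pem holds no PEM certificate" >&2; return 1; }
    grep -q -- 'PRIVATE KEY-----' "$live/privkey.pem" ||
        { echo "privkey.pem holds no PEM private key" >&2; return 1; }

    (
        # The key must never sit in a group- or world-readable file, even briefly.
        umask 077
        tmp_pem=$(mktemp "$dest/.server.pem.XXXXXX") || exit 1
        tmp_chain=$(mktemp "$dest/.chain.pem.XXXXXX") || exit 1
        trap 'rm -f "$tmp_pem" "$tmp_chain"' EXIT

        # "awk 1" ends every line with a newline, so a cert.pem that lacks a
        # final newline cannot fuse its END line with the key's BEGIN line.
        awk 1 "$live/cert.pem" "$live/privkey.pem" > "$tmp_pem" || exit 1
        awk 1 "$live/chain.pem" > "$tmp_chain" || exit 1
        chmod 600 "$tmp_pem" "$tmp_chain" || exit 1

        # Only root can hand ownership to root; skipped when run unprivileged.
        if [ "$(id -u)" -eq 0 ]; then
            chown 0:0 "$tmp_pem" "$tmp_chain" || exit 1
        fi

        # Rename within the same directory, so the server never sees a
        # half-written file under the final name.
        mv -f "$tmp_pem" "$dest/server.pem" &&
            mv -f "$tmp_chain" "$dest/chain.pem"
    )
}
```

In the lighttpd configuration, `ssl.pemfile` then points at `server.pem` and `ssl.ca-file` at `chain.pem`.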